dongxinxin7809 2019-06-01 11:28
浏览 127

too long

We have a site on an old codebase using PHP 5.5 (for now) and one of our integrations we interface with using SoapClient has told us they will be disabling usage of TLS < 1.2 shortly.

Currently our connections are as simple as:

$client = new SoapClient($soap_url);

What do we have to do to make sure only TLS 1.2 requests are sent? I found this answer, but I'm not entirely sure if this still applies to our situation; additionally, not sure we should be forcing Soap 1.1 either?

What are the requirements on our end to make sure we send TLS 1.2 requests?

  • 写回答

1条回答 默认 最新

  • duanfu1942 2019-06-10 21:33
    关注

    When negotiating the connection with the server, your TLS library, let's assume openSSL, is going to tell the server what your maximum supported version is. The server will then choose a version that it, and the client both support. So, assuming your client system supports TLS1.2 there is probably no action required on your part.

    TLS 1.2 support was added to OpenSSL in 1.0.1. If you are on el6 or newer and update your packages you should be fine. Check your version like so:

    # openssl version
> OpenSSL 1.0.2k-fips  26 Jan 2017

    You can check what protocols/ciphers a server supports with this nmap command:

     nmap --script ssl-enum-ciphers -p 443 stackoverflow.com

    Now, if you want to test a failure when using TLS1.1, or force a cipher or something, you will need to use PHP's stream_context_create.

    With the code below you can force use of TLS1.2 by setting the crypto_method to STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT. Or, perhaps more useful towards what you are asking, you could test the failure when forcing use of STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT. 

    <?php
$options = ['trace' => 1,
            'soap_version' => SOAP_1_2,
            'exceptions' => true,
            'location' => 'https://stackoverflow.com/foo',
            'uri' => "https://stackoverflow.com/bar",
            'stream_context' => stream_context_create([
                'ssl'=> [
                    'crypto_method' => STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT,
                    'ciphers' => 'SHA256'                        
                 ]
             ])];

$client = new SoapClient(null, $options);

try {
    $response = $client->getFoo();    
} catch (\Exception $e){    
    var_dump($client->__getLastRequest());
    var_dump($client->__getLastResponse());
    throw $e;
}


//OR, an even easier test with out a Soap Client...
$opts = [
         'ssl'=> [
             'crypto_method' => STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT,
             'ciphers' => 'SHA256',
             'verify_peer' => false,
             'verify_peer_name' => false
         ]
     ];

$context = stream_context_create($opts);
$fp = fopen('https://stackoverflow.com', 'r', false, $context);

    If things work with 1.2 and you can generate an error forcing say 1.1 then you can be pretty confident things are setup fine. Errors would be along the lines of:

    Warning: fopen(): SSL operation failed with code 1. OpenSSL Error messages: error:140830B5:SSL routines:ssl3_client_hello:no ciphers available

    fopen(): Failed to enable crypto

    When talking about SOAP version 1.1 vs 1.2 those are just different W3C standards for the Simple Object Access Protocol. More on some of the differences can be found here.

    I will just say in closing I've not tested this in PHP 5.5, that is such an old version that these days I don't have an easy way to spin it up. Think this would all still be applicable however.

    评论

报告相同问题?

悬赏问题

  • ¥15 安卓adb backup备份应用数据失败
  • ¥15 eclipse运行项目时遇到的问题
  • ¥15 关于#c##的问题:最近需要用CAT工具Trados进行一些开发
  • ¥15 南大pa1 小游戏没有界面,并且报了如下错误,尝试过换显卡驱动,但是好像不行
  • ¥15 没有证书,nginx怎么反向代理到只能接受https的公网网站
  • ¥50 成都蓉城足球俱乐部小程序抢票
  • ¥15 yolov7训练自己的数据集
  • ¥15 esp8266与51单片机连接问题(标签-单片机|关键词-串口)(相关搜索:51单片机|单片机|测试代码)
  • ¥15 电力市场出清matlab yalmip kkt 双层优化问题
  • ¥30 ros小车路径规划实现不了,如何解决?(操作系统-ubuntu)